Debian Security Advisory
DLA-385-2 isc-dhcp -- LTS security update
- Date Reported: 19 Jan 2016
- Affected Packages: isc-dhcp
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2015-8605.
- More information:
The previous upload of the isc-dhcp package to Debian Squeeze LTS introduced two issues into LTS, both of which are resolved by this upload.
(1) CVE-2015-8605 had only been resolved for the LDAP variant of the DHCP server package built from the isc-dhcp source package. With the upload of version 4.1.1-P1-15+squeeze10, all DHCP server variants (LDAP and non-LDAP alike) now include the fix for CVE-2015-8605. Thanks to Ben Hutchings for spotting this inaccuracy.
(2) The amd64 binary build of the previously uploaded isc-dhcp version (4.1.1-P1-15+squeeze9) was flawed and searched for the dhcpd.conf configuration file at the wrong location [1,2,3]. This flaw in the amd64 build was caused by a not-100%-pure-squeeze-lts build system on the maintainer's end. The amd64 build of version 4.1.1-P1-15+squeeze10 has been redone in a brand-new build environment and no longer shows the reported symptom(s).
I deeply apologize for the experienced inconvenience to all who encountered this issue.
[1] https://bugs.debian.org/811097
[2] https://bugs.debian.org/811397
[3] https://bugs.debian.org/811402
For Debian 6 Squeeze, these issues have been fixed in isc-dhcp version 4.1.1-P1-15+squeeze10.
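An added example, not part of the advisory or of Debian's tooling: an offline audit of a collected package inventory against the fixed version, using a reimplementation of dpkg's version ordering so it also runs on a non-Debian analysis host. The binary package names `isc-dhcp-server` and `isc-dhcp-server-ldap`, the host names and the inventory format are assumptions that the advisory does not state.

```python
import re

FIXED = "4.1.1-P1-15+squeeze10"   # fixed version named in the advisory
PARTIAL = "4.1.1-P1-15+squeeze9"  # previous upload that the advisory corrects

def _order(c):
    # dpkg character order: '~' < end of string < letters < other characters
    return -1 if c == "~" else 0 if c == "" else ord(c) + 256 * (not c.isalpha())

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, the way dpkg does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        da, db = re.match(r"\d*", a[len(na):]).group(), re.match(r"\d*", b[len(nb):]).group()
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
        n = max(len(na), len(nb))
        ka = [_order(na[i:i + 1]) for i in range(n)] + [int(da or 0)]
        kb = [_order(nb[i:i + 1]) for i in range(n)] + [int(db or 0)]
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def deb_cmp(a, b):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    keys = []
    for v in (a, b):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        keys.append((int(epoch), upstream, rev))
    (ea, ua, ra), (eb, ub, rb) = keys
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    findings = {}
    for host, pkg, ver, arch in (l.split() for l in inventory.strip().splitlines()):
        if deb_cmp(ver, FIXED) >= 0:
            continue
        notes = ["older than " + FIXED]
        if ver == PARTIAL and pkg == "isc-dhcp-server":  # assumed non-LDAP package name
            notes.append("non-LDAP server build lacks the CVE-2015-8605 fix")
        if ver == PARTIAL and arch == "amd64":
            notes.append("flawed amd64 build: wrong dhcpd.conf location")
        findings[(host, pkg)] = notes
    return findings

# Constructed inventory, one "host package version architecture" record per line.
SAMPLE = ("gw1 isc-dhcp-server 4.1.1-P1-15+squeeze9 amd64\n"
          "gw2 isc-dhcp-server-ldap 4.1.1-P1-15+squeeze9 i386\n"
          "gw3 isc-dhcp-server 4.1.1-P1-15+squeeze10 amd64\n")
```

A plain string comparison would sort `squeeze10` before `squeeze9` and report the partially fixed upload as newer than the fixed one, which is why the numeric runs are compared as integers here.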